Last week, Pokémon Go was officially released in the U.S. and players downloaded the application in droves. Overall, gamers are reporting a mostly positive experience, after a few server issues, but security experts warn that the app isn't without its risks.
Last Friday, Adam Reeve, a Principal Architect at RedOwl, said that Pokémon Go was a huge security risk, and focused on the authentication aspects of the application.
In order to play the game, the user will need to have an account. There are two ways to authenticate: a Pokemon.com account or a Google account. Most players, due to a halt in new signups on Pokemon.com, have opted to use their Google account.
Typically, when Google is used as the authentication method, the user is shown the level of permissions the application is going to need. But in the case of Pokémon Go, the authentication is nearly instant and the user is redirected to the login screen – with no permissions notice.
When Reeve went to confirm permissions online, he learned that Pokémon Go had full access to his Google account.
"Let me be clear - Pokemon Go and Niantic can now: Read all your email; Send email as you; Access all your Google drive documents (including deleting them); Look at your search history and your Maps navigation history; Access any private photos you may store in Google Photos, and a whole lot more," Reeve explained.
"Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk."
The issue is that when authentication measures such as the one being used by Niantic (the company behind Pokémon Go) are implemented, the rule of thumb is to request the fewest permissions the application needs. For iOS players, the company has requested total control over the Google account. For those on Android, it's a bit different.
On Android, Pokémon Go has many of the same device controls required by iOS, but it doesn't have total control over a user's Google account. What it can do is take video and pictures, read and use accounts on the device, read and modify the SD card, use Google Play's billing features, and track location. (Android permissions image provided by @oscaron)
There are other concerns as well, particularly the amount of data being collected by the application.
One of the weekend debates surrounding the game focused on the GPS and location data, which could be mined and collected.
Anyone playing this game is sharing metadata – at the very least – which means details on who they are, where they live, locations they frequent, who they associate with, time spent in each location, etc. Odds are, this is more data than they initially intended, and the concern is compounded when you consider the fact that kids are playing the game too.
Salted Hash has reached out to Niantic to inquire about what data is being collected, and how it's being used. We'll update this story should they respond.
For now, if the risk is too much, uninstall the application – otherwise, just be aware of the type of data that's being collected and how it's accessed.
Update: Niantic has issued a statement on the matter. The permissions on iOS were a mistake, and they've now been fixed.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
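The least-permissions rule of thumb described above can be checked mechanically before a login flow ships. The following is an added example, not code from Niantic, Google or the original article: it parses the `scope` parameter of an OAuth 2.0 authorization URL and reports anything requested beyond a declared minimum. The minimum set (`openid`, `email`), the client ID and both sample URLs are assumptions constructed for illustration, not the values the app actually sent.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: an app that only needs a user ID and email address maps to
# Google's "openid" and "email" sign-in scopes.
NEEDED = {"openid", "email"}

# Long-form names Google accepts for the same sign-in scopes.
ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}

# Constructed sample authorization requests (hypothetical client ID).
BROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
NARROW_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code"
    "&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
)


def requested_scopes(auth_url):
    """Return the normalized set of scopes in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = set()
    # RFC 6749 section 3.3: scope is a space-delimited list of tokens.
    # parse_qs has already decoded %20 and "+" into spaces.
    for value in query.get("scope", []):
        for token in value.split():
            scopes.add(ALIASES.get(token, token))
    return scopes


def audit(auth_url, needed=NEEDED):
    """Compare the requested scopes with the minimum the app says it needs."""
    asked = requested_scopes(auth_url)
    return {
        "excess": sorted(asked - needed),    # requested but not needed
        "missing": sorted(needed - asked),   # needed but not requested
        # A request with no scope parameter is not treated as verified.
        "least_privilege": bool(asked) and asked <= needed,
    }


if __name__ == "__main__":
    for url in (BROAD_URL, NARROW_URL):
        print(audit(url))
```

Run against a captured authorization URL in a build or review pipeline, a non-empty `excess` list is the signal that the consent being requested is wider than the data the app uses.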